From 03219d40d9f87039ba9d6dde6fc6dfb4373b1fee Mon Sep 17 00:00:00 2001
From: Tiziano Santoro <tzn@google.com>
Date: Thu, 27 Feb 2020 12:20:48 +0000
Subject: [PATCH] Introduce label lattice definition in Oak Runtime

Not used yet, but as a starting point for future functionality.

Ref #630
---
 oak/server/rust/oak_runtime/build.rs          |   5 +-
 oak/server/rust/oak_runtime/src/label.rs      | 218 +++++
 oak/server/rust/oak_runtime/src/lib.rs        |   1 +
 oak/server/rust/oak_runtime/src/proto/mod.rs  |   1 +
 .../rust/oak_runtime/src/proto/policy.rs      | 912 ++++++++++++++++++
 5 files changed, 1136 insertions(+), 1 deletion(-)
 create mode 100644 oak/server/rust/oak_runtime/src/label.rs
 create mode 100644 oak/server/rust/oak_runtime/src/proto/policy.rs

diff --git a/oak/server/rust/oak_runtime/build.rs b/oak/server/rust/oak_runtime/build.rs
index 41a64a7276e..efd2a61d540 100644
--- a/oak/server/rust/oak_runtime/build.rs
+++ b/oak/server/rust/oak_runtime/build.rs
@@ -17,7 +17,10 @@
 fn main() {
     oak_utils::run_protoc_rust(protoc_rust::Args {
         out_dir: "src/proto",
-        input: &["../../../../oak/proto/application.proto"],
+        input: &[
+            "../../../../oak/proto/application.proto",
+            "../../../../oak/proto/policy.proto",
+        ],
         includes: &["../../../../oak/proto"],
         customize: protoc_rust::Customize::default(),
     })
diff --git a/oak/server/rust/oak_runtime/src/label.rs b/oak/server/rust/oak_runtime/src/label.rs
new file mode 100644
index 00000000000..989b665fee9
--- /dev/null
+++ b/oak/server/rust/oak_runtime/src/label.rs
@@ -0,0 +1,218 @@
+//
+// Copyright 2020 The Project Oak Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+use protobuf::Message;
+use std::collections::HashSet;
+
+/// A trait representing a label as part of a lattice.
+pub trait Label: Sized {
+    /// Convert the label to bytes.
+    fn serialize(&self) -> Vec<u8>;
+
+    /// Build the label from bytes.
+    fn deserialize(bytes: &[u8]) -> Option<Self>;
+
+    /// Compare two labels according to the lattice structure: L_0 ⊑ L_1.
+    fn can_flow_to(&self, other: &Self) -> bool;
+}
+
+// Implement the necessary traits on `Tag` so that it may be used in `HashSet`.
+
+impl Eq for crate::proto::policy::Tag {}
+
+#[allow(clippy::derive_hash_xor_eq)]
+impl std::hash::Hash for crate::proto::policy::Tag {
+    fn hash<H: std::hash::Hasher>(&self, state: &mut H) {
+        // As a quick solution, we simply serialize the message and hash the resulting `Vec`.
+        let mut bytes = Vec::new();
+        self.write_to_vec(&mut bytes)
+            .expect("could not serialize to bytes");
+        bytes.hash(state);
+    }
+}
+
+impl Label for crate::proto::policy::Label {
+    fn serialize(&self) -> Vec<u8> {
+        let mut bytes = Vec::new();
+        self.write_to_vec(&mut bytes)
+            .expect("could not serialize to bytes");
+        bytes
+    }
+    fn deserialize(bytes: &[u8]) -> Option<Self> {
+        protobuf::parse_from_bytes(bytes).ok()
+    }
+
+    fn can_flow_to(&self, other: &Self) -> bool {
+        #![allow(clippy::mutable_key_type)]
+
+        let self_secrecy_tags: HashSet<_> = self.secrecy_tags.iter().collect();
+        let other_secrecy_tags: HashSet<_> = other.secrecy_tags.iter().collect();
+        let self_integrity_tags: HashSet<_> = self.integrity_tags.iter().collect();
+        let other_integrity_tags: HashSet<_> = other.integrity_tags.iter().collect();
+
+        // The target label must have (compared to the self label):
+        // - same or more secrecy tags
+        // - same or fewer integrity tags
+        self_secrecy_tags.is_subset(&other_secrecy_tags)
+            && other_integrity_tags.is_subset(&self_integrity_tags)
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    fn authorization_bearer_token_hmac_tag(
+        authorization_bearer_token_hmac: &[u8],
+    ) -> crate::proto::policy::Tag {
+        crate::proto::policy::Tag {
+            tag: Option::Some(crate::proto::policy::Tag_oneof_tag::grpc_tag(
+                crate::proto::policy::GrpcTag {
+                    authorization_bearer_token_hmac: authorization_bearer_token_hmac.into(),
+                    ..Default::default()
+                },
+            )),
+            ..Default::default()
+        }
+    }
+
+    #[test]
+    fn serialize_deserialize() {
+        let labels = vec![
+            crate::proto::policy::Label {
+                secrecy_tags: vec![].into(),
+                integrity_tags: vec![].into(),
+                ..Default::default()
+            },
+            crate::proto::policy::Label {
+                secrecy_tags: vec![authorization_bearer_token_hmac_tag(&[0, 0, 0])].into(),
+                integrity_tags: vec![authorization_bearer_token_hmac_tag(&[1, 1, 1])].into(),
+                ..Default::default()
+            },
+            crate::proto::policy::Label {
+                secrecy_tags: vec![
+                    authorization_bearer_token_hmac_tag(&[0, 0, 0]),
+                    authorization_bearer_token_hmac_tag(&[0, 0, 0]),
+                ]
+                .into(),
+                integrity_tags: vec![
+                    authorization_bearer_token_hmac_tag(&[1, 1, 1]),
+                    authorization_bearer_token_hmac_tag(&[1, 1, 1]),
+                ]
+                .into(),
+                ..Default::default()
+            },
+            crate::proto::policy::Label {
+                secrecy_tags: vec![
+                    authorization_bearer_token_hmac_tag(&[0, 0, 0]),
+                    authorization_bearer_token_hmac_tag(&[1, 1, 1]),
+                ]
+                .into(),
+                integrity_tags: vec![
+                    authorization_bearer_token_hmac_tag(&[2, 2, 2]),
+                    authorization_bearer_token_hmac_tag(&[3, 3, 3]),
+                ]
+                .into(),
+                ..Default::default()
+            },
+        ];
+        for label in labels.iter() {
+            let bytes = label.serialize();
+            let deserialized = crate::proto::policy::Label::deserialize(&bytes).unwrap();
+            assert_eq!(*label, deserialized);
+        }
+    }
+
+    #[test]
+    fn label_flow() {
+        let tag_0 = authorization_bearer_token_hmac_tag(&[0, 0, 0]);
+        let tag_1 = authorization_bearer_token_hmac_tag(&[1, 1, 1]);
+
+        // The least privileged label.
+        //
+        // A node or channel with this label has only observed public data.
+        let public = crate::proto::policy::Label {
+            secrecy_tags: vec![].into(),
+            integrity_tags: vec![].into(),
+            ..Default::default()
+        };
+
+        // A label that corresponds to the secrecy of tag_0.
+        //
+        // A node or channel with this label may have observed data related to tag_0.
+        let label_0 = crate::proto::policy::Label {
+            secrecy_tags: vec![tag_0.clone()].into(),
+            integrity_tags: vec![].into(),
+            ..Default::default()
+        };
+
+        // A label that corresponds to the secrecy of tag_1.
+        //
+        // A node or channel with this label may have observed data related to tag_1.
+        let label_1 = crate::proto::policy::Label {
+            secrecy_tags: vec![tag_1.clone()].into(),
+            integrity_tags: vec![].into(),
+            ..Default::default()
+        };
+
+        // A label that corresponds to the combined secrecy of both tag_0 and tag_1.
+        //
+        // A node or channel with this label may have observed data related to tag_0 and tag_1.
+        let label_0_1 = crate::proto::policy::Label {
+            secrecy_tags: vec![tag_0, tag_1].into(),
+            integrity_tags: vec![].into(),
+            ..Default::default()
+        };
+
+        // These labels form a lattice with the following shape:
+        //
+        //            label_0_1
+        //              /  \
+        //             /    \
+        //       label_0    label_1
+        //             \     /
+        //              \   /
+        //              public
+
+        // Data with any label can flow to the same label.
+        assert_eq!(true, public.can_flow_to(&public));
+        assert_eq!(true, label_0.can_flow_to(&label_0));
+        assert_eq!(true, label_1.can_flow_to(&label_1));
+        assert_eq!(true, label_0_1.can_flow_to(&label_0_1));
+
+        // Public data can flow to more private data;
+        assert_eq!(true, public.can_flow_to(&label_0));
+        assert_eq!(true, public.can_flow_to(&label_1));
+        assert_eq!(true, public.can_flow_to(&label_0_1));
+
+        // Private data cannot flow to public.
+        assert_eq!(false, label_0.can_flow_to(&public));
+        assert_eq!(false, label_1.can_flow_to(&public));
+        assert_eq!(false, label_0_1.can_flow_to(&public));
+
+        // Private data with non-comparable labels cannot flow to each other.
+        assert_eq!(false, label_0.can_flow_to(&label_1));
+        assert_eq!(false, label_1.can_flow_to(&label_0));
+
+        // Private data can flow to even more private data.
+        assert_eq!(true, label_0.can_flow_to(&label_0_1));
+        assert_eq!(true, label_1.can_flow_to(&label_0_1));
+
+        // And vice versa.
+        assert_eq!(false, label_0_1.can_flow_to(&label_0));
+        assert_eq!(false, label_0_1.can_flow_to(&label_1));
+    }
+}
diff --git a/oak/server/rust/oak_runtime/src/lib.rs b/oak/server/rust/oak_runtime/src/lib.rs
index 72a0893d132..29503286351 100644
--- a/oak/server/rust/oak_runtime/src/lib.rs
+++ b/oak/server/rust/oak_runtime/src/lib.rs
@@ -26,6 +26,7 @@ pub mod proto;
 
 pub mod channel;
 pub mod config;
+pub mod label;
 pub mod message;
 pub mod node;
 pub mod runtime;
diff --git a/oak/server/rust/oak_runtime/src/proto/mod.rs b/oak/server/rust/oak_runtime/src/proto/mod.rs
index c67111e87fa..9c416c7e05b 100644
--- a/oak/server/rust/oak_runtime/src/proto/mod.rs
+++ b/oak/server/rust/oak_runtime/src/proto/mod.rs
@@ -16,3 +16,4 @@
 
 #[allow(clippy::all)]
 pub mod application;
+pub mod policy;
diff --git a/oak/server/rust/oak_runtime/src/proto/policy.rs b/oak/server/rust/oak_runtime/src/proto/policy.rs
new file mode 100644
index 00000000000..b6cc49dd4c9
--- /dev/null
+++ b/oak/server/rust/oak_runtime/src/proto/policy.rs
@@ -0,0 +1,912 @@
+// This file is generated by rust-protobuf 2.10.1. Do not edit
+// @generated
+
+// https://github.com/rust-lang/rust-clippy/issues/702
+#![allow(unknown_lints)]
+#![allow(clippy::all)]
+
+#![cfg_attr(rustfmt, rustfmt_skip)]
+
+#![allow(box_pointers)]
+#![allow(dead_code)]
+#![allow(missing_docs)]
+#![allow(non_camel_case_types)]
+#![allow(non_snake_case)]
+#![allow(non_upper_case_globals)]
+#![allow(trivial_casts)]
+#![allow(unsafe_code)]
+#![allow(unused_imports)]
+#![allow(unused_results)]
+//! Generated file from `policy.proto`
+
+use protobuf::Message as Message_imported_for_functions;
+use protobuf::ProtobufEnum as ProtobufEnum_imported_for_functions;
+
+/// Generated files are compatible only with the same version
+/// of protobuf runtime.
+// const _PROTOBUF_VERSION_CHECK: () = ::protobuf::VERSION_2_10_1;
+
+#[derive(PartialEq,Clone,Default)]
+pub struct Label {
+    // message fields
+    pub secrecy_tags: ::protobuf::RepeatedField<Tag>,
+    pub integrity_tags: ::protobuf::RepeatedField<Tag>,
+    // special fields
+    pub unknown_fields: ::protobuf::UnknownFields,
+    pub cached_size: ::protobuf::CachedSize,
+}
+
+impl<'a> ::std::default::Default for &'a Label {
+    fn default() -> &'a Label {
+        <Label as ::protobuf::Message>::default_instance()
+    }
+}
+
+impl Label {
+    pub fn new() -> Label {
+        ::std::default::Default::default()
+    }
+
+    // repeated .oak.policy.Tag secrecy_tags = 1;
+
+
+    pub fn get_secrecy_tags(&self) -> &[Tag] {
+        &self.secrecy_tags
+    }
+    pub fn clear_secrecy_tags(&mut self) {
+        self.secrecy_tags.clear();
+    }
+
+    // Param is passed by value, moved
+    pub fn set_secrecy_tags(&mut self, v: ::protobuf::RepeatedField<Tag>) {
+        self.secrecy_tags = v;
+    }
+
+    // Mutable pointer to the field.
+    pub fn mut_secrecy_tags(&mut self) -> &mut ::protobuf::RepeatedField<Tag> {
+        &mut self.secrecy_tags
+    }
+
+    // Take field
+    pub fn take_secrecy_tags(&mut self) -> ::protobuf::RepeatedField<Tag> {
+        ::std::mem::replace(&mut self.secrecy_tags, ::protobuf::RepeatedField::new())
+    }
+
+    // repeated .oak.policy.Tag integrity_tags = 2;
+
+
+    pub fn get_integrity_tags(&self) -> &[Tag] {
+        &self.integrity_tags
+    }
+    pub fn clear_integrity_tags(&mut self) {
+        self.integrity_tags.clear();
+    }
+
+    // Param is passed by value, moved
+    pub fn set_integrity_tags(&mut self, v: ::protobuf::RepeatedField<Tag>) {
+        self.integrity_tags = v;
+    }
+
+    // Mutable pointer to the field.
+    pub fn mut_integrity_tags(&mut self) -> &mut ::protobuf::RepeatedField<Tag> {
+        &mut self.integrity_tags
+    }
+
+    // Take field
+    pub fn take_integrity_tags(&mut self) -> ::protobuf::RepeatedField<Tag> {
+        ::std::mem::replace(&mut self.integrity_tags, ::protobuf::RepeatedField::new())
+    }
+}
+
+impl ::protobuf::Message for Label {
+    fn is_initialized(&self) -> bool {
+        for v in &self.secrecy_tags {
+            if !v.is_initialized() {
+                return false;
+            }
+        };
+        for v in &self.integrity_tags {
+            if !v.is_initialized() {
+                return false;
+            }
+        };
+        true
+    }
+
+    fn merge_from(&mut self, is: &mut ::protobuf::CodedInputStream<'_>) -> ::protobuf::ProtobufResult<()> {
+        while !is.eof()? {
+            let (field_number, wire_type) = is.read_tag_unpack()?;
+            match field_number {
+                1 => {
+                    ::protobuf::rt::read_repeated_message_into(wire_type, is, &mut self.secrecy_tags)?;
+                },
+                2 => {
+                    ::protobuf::rt::read_repeated_message_into(wire_type, is, &mut self.integrity_tags)?;
+                },
+                _ => {
+                    ::protobuf::rt::read_unknown_or_skip_group(field_number, wire_type, is, self.mut_unknown_fields())?;
+                },
+            };
+        }
+        ::std::result::Result::Ok(())
+    }
+
+    // Compute sizes of nested messages
+    #[allow(unused_variables)]
+    fn compute_size(&self) -> u32 {
+        let mut my_size = 0;
+        for value in &self.secrecy_tags {
+            let len = value.compute_size();
+            my_size += 1 + ::protobuf::rt::compute_raw_varint32_size(len) + len;
+        };
+        for value in &self.integrity_tags {
+            let len = value.compute_size();
+            my_size += 1 + ::protobuf::rt::compute_raw_varint32_size(len) + len;
+        };
+        my_size += ::protobuf::rt::unknown_fields_size(self.get_unknown_fields());
+        self.cached_size.set(my_size);
+        my_size
+    }
+
+    fn write_to_with_cached_sizes(&self, os: &mut ::protobuf::CodedOutputStream<'_>) -> ::protobuf::ProtobufResult<()> {
+        for v in &self.secrecy_tags {
+            os.write_tag(1, ::protobuf::wire_format::WireTypeLengthDelimited)?;
+            os.write_raw_varint32(v.get_cached_size())?;
+            v.write_to_with_cached_sizes(os)?;
+        };
+        for v in &self.integrity_tags {
+            os.write_tag(2, ::protobuf::wire_format::WireTypeLengthDelimited)?;
+            os.write_raw_varint32(v.get_cached_size())?;
+            v.write_to_with_cached_sizes(os)?;
+        };
+        os.write_unknown_fields(self.get_unknown_fields())?;
+        ::std::result::Result::Ok(())
+    }
+
+    fn get_cached_size(&self) -> u32 {
+        self.cached_size.get()
+    }
+
+    fn get_unknown_fields(&self) -> &::protobuf::UnknownFields {
+        &self.unknown_fields
+    }
+
+    fn mut_unknown_fields(&mut self) -> &mut ::protobuf::UnknownFields {
+        &mut self.unknown_fields
+    }
+
+    fn as_any(&self) -> &dyn (::std::any::Any) {
+        self as &dyn (::std::any::Any)
+    }
+    fn as_any_mut(&mut self) -> &mut dyn (::std::any::Any) {
+        self as &mut dyn (::std::any::Any)
+    }
+    fn into_any(self: Box<Self>) -> ::std::boxed::Box<dyn (::std::any::Any)> {
+        self
+    }
+
+    fn descriptor(&self) -> &'static ::protobuf::reflect::MessageDescriptor {
+        Self::descriptor_static()
+    }
+
+    fn new() -> Label {
+        Label::new()
+    }
+
+    fn descriptor_static() -> &'static ::protobuf::reflect::MessageDescriptor {
+        static mut descriptor: ::protobuf::lazy::Lazy<::protobuf::reflect::MessageDescriptor> = ::protobuf::lazy::Lazy {
+            lock: ::protobuf::lazy::ONCE_INIT,
+            ptr: 0 as *const ::protobuf::reflect::MessageDescriptor,
+        };
+        unsafe {
+            descriptor.get(|| {
+                let mut fields = ::std::vec::Vec::new();
+                fields.push(::protobuf::reflect::accessor::make_repeated_field_accessor::<_, ::protobuf::types::ProtobufTypeMessage<Tag>>(
+                    "secrecy_tags",
+                    |m: &Label| { &m.secrecy_tags },
+                    |m: &mut Label| { &mut m.secrecy_tags },
+                ));
+                fields.push(::protobuf::reflect::accessor::make_repeated_field_accessor::<_, ::protobuf::types::ProtobufTypeMessage<Tag>>(
+                    "integrity_tags",
+                    |m: &Label| { &m.integrity_tags },
+                    |m: &mut Label| { &mut m.integrity_tags },
+                ));
+                ::protobuf::reflect::MessageDescriptor::new::<Label>(
+                    "Label",
+                    fields,
+                    file_descriptor_proto()
+                )
+            })
+        }
+    }
+
+    fn default_instance() -> &'static Label {
+        static mut instance: ::protobuf::lazy::Lazy<Label> = ::protobuf::lazy::Lazy {
+            lock: ::protobuf::lazy::ONCE_INIT,
+            ptr: 0 as *const Label,
+        };
+        unsafe {
+            instance.get(Label::new)
+        }
+    }
+}
+
+impl ::protobuf::Clear for Label {
+    fn clear(&mut self) {
+        self.secrecy_tags.clear();
+        self.integrity_tags.clear();
+        self.unknown_fields.clear();
+    }
+}
+
+impl ::std::fmt::Debug for Label {
+    fn fmt(&self, f: &mut ::std::fmt::Formatter<'_>) -> ::std::fmt::Result {
+        ::protobuf::text_format::fmt(self, f)
+    }
+}
+
+impl ::protobuf::reflect::ProtobufValue for Label {
+    fn as_ref(&self) -> ::protobuf::reflect::ProtobufValueRef {
+        ::protobuf::reflect::ProtobufValueRef::Message(self)
+    }
+}
+
+#[derive(PartialEq,Clone,Default)]
+pub struct Tag {
+    // message oneof groups
+    pub tag: ::std::option::Option<Tag_oneof_tag>,
+    // special fields
+    pub unknown_fields: ::protobuf::UnknownFields,
+    pub cached_size: ::protobuf::CachedSize,
+}
+
+impl<'a> ::std::default::Default for &'a Tag {
+    fn default() -> &'a Tag {
+        <Tag as ::protobuf::Message>::default_instance()
+    }
+}
+
+#[derive(Clone,PartialEq,Debug)]
+pub enum Tag_oneof_tag {
+    grpc_tag(GrpcTag),
+    web_assembly_module_tag(WebAssemblyModuleTag),
+}
+
+impl Tag {
+    pub fn new() -> Tag {
+        ::std::default::Default::default()
+    }
+
+    // .oak.policy.GrpcTag grpc_tag = 1;
+
+
+    pub fn get_grpc_tag(&self) -> &GrpcTag {
+        match self.tag {
+            ::std::option::Option::Some(Tag_oneof_tag::grpc_tag(ref v)) => v,
+            _ => GrpcTag::default_instance(),
+        }
+    }
+    pub fn clear_grpc_tag(&mut self) {
+        self.tag = ::std::option::Option::None;
+    }
+
+    pub fn has_grpc_tag(&self) -> bool {
+        match self.tag {
+            ::std::option::Option::Some(Tag_oneof_tag::grpc_tag(..)) => true,
+            _ => false,
+        }
+    }
+
+    // Param is passed by value, moved
+    pub fn set_grpc_tag(&mut self, v: GrpcTag) {
+        self.tag = ::std::option::Option::Some(Tag_oneof_tag::grpc_tag(v))
+    }
+
+    // Mutable pointer to the field.
+    pub fn mut_grpc_tag(&mut self) -> &mut GrpcTag {
+        if let ::std::option::Option::Some(Tag_oneof_tag::grpc_tag(_)) = self.tag {
+        } else {
+            self.tag = ::std::option::Option::Some(Tag_oneof_tag::grpc_tag(GrpcTag::new()));
+        }
+        match self.tag {
+            ::std::option::Option::Some(Tag_oneof_tag::grpc_tag(ref mut v)) => v,
+            _ => panic!(),
+        }
+    }
+
+    // Take field
+    pub fn take_grpc_tag(&mut self) -> GrpcTag {
+        if self.has_grpc_tag() {
+            match self.tag.take() {
+                ::std::option::Option::Some(Tag_oneof_tag::grpc_tag(v)) => v,
+                _ => panic!(),
+            }
+        } else {
+            GrpcTag::new()
+        }
+    }
+
+    // .oak.policy.WebAssemblyModuleTag web_assembly_module_tag = 2;
+
+
+    pub fn get_web_assembly_module_tag(&self) -> &WebAssemblyModuleTag {
+        match self.tag {
+            ::std::option::Option::Some(Tag_oneof_tag::web_assembly_module_tag(ref v)) => v,
+            _ => WebAssemblyModuleTag::default_instance(),
+        }
+    }
+    pub fn clear_web_assembly_module_tag(&mut self) {
+        self.tag = ::std::option::Option::None;
+    }
+
+    pub fn has_web_assembly_module_tag(&self) -> bool {
+        match self.tag {
+            ::std::option::Option::Some(Tag_oneof_tag::web_assembly_module_tag(..)) => true,
+            _ => false,
+        }
+    }
+
+    // Param is passed by value, moved
+    pub fn set_web_assembly_module_tag(&mut self, v: WebAssemblyModuleTag) {
+        self.tag = ::std::option::Option::Some(Tag_oneof_tag::web_assembly_module_tag(v))
+    }
+
+    // Mutable pointer to the field.
+    pub fn mut_web_assembly_module_tag(&mut self) -> &mut WebAssemblyModuleTag {
+        if let ::std::option::Option::Some(Tag_oneof_tag::web_assembly_module_tag(_)) = self.tag {
+        } else {
+            self.tag = ::std::option::Option::Some(Tag_oneof_tag::web_assembly_module_tag(WebAssemblyModuleTag::new()));
+        }
+        match self.tag {
+            ::std::option::Option::Some(Tag_oneof_tag::web_assembly_module_tag(ref mut v)) => v,
+            _ => panic!(),
+        }
+    }
+
+    // Take field
+    pub fn take_web_assembly_module_tag(&mut self) -> WebAssemblyModuleTag {
+        if self.has_web_assembly_module_tag() {
+            match self.tag.take() {
+                ::std::option::Option::Some(Tag_oneof_tag::web_assembly_module_tag(v)) => v,
+                _ => panic!(),
+            }
+        } else {
+            WebAssemblyModuleTag::new()
+        }
+    }
+}
+
+impl ::protobuf::Message for Tag {
+    fn is_initialized(&self) -> bool {
+        if let Some(Tag_oneof_tag::grpc_tag(ref v)) = self.tag {
+            if !v.is_initialized() {
+                return false;
+            }
+        }
+        if let Some(Tag_oneof_tag::web_assembly_module_tag(ref v)) = self.tag {
+            if !v.is_initialized() {
+                return false;
+            }
+        }
+        true
+    }
+
+    fn merge_from(&mut self, is: &mut ::protobuf::CodedInputStream<'_>) -> ::protobuf::ProtobufResult<()> {
+        while !is.eof()? {
+            let (field_number, wire_type) = is.read_tag_unpack()?;
+            match field_number {
+                1 => {
+                    if wire_type != ::protobuf::wire_format::WireTypeLengthDelimited {
+                        return ::std::result::Result::Err(::protobuf::rt::unexpected_wire_type(wire_type));
+                    }
+                    self.tag = ::std::option::Option::Some(Tag_oneof_tag::grpc_tag(is.read_message()?));
+                },
+                2 => {
+                    if wire_type != ::protobuf::wire_format::WireTypeLengthDelimited {
+                        return ::std::result::Result::Err(::protobuf::rt::unexpected_wire_type(wire_type));
+                    }
+                    self.tag = ::std::option::Option::Some(Tag_oneof_tag::web_assembly_module_tag(is.read_message()?));
+                },
+                _ => {
+                    ::protobuf::rt::read_unknown_or_skip_group(field_number, wire_type, is, self.mut_unknown_fields())?;
+                },
+            };
+        }
+        ::std::result::Result::Ok(())
+    }
+
+    // Compute sizes of nested messages
+    #[allow(unused_variables)]
+    fn compute_size(&self) -> u32 {
+        let mut my_size = 0;
+        if let ::std::option::Option::Some(ref v) = self.tag {
+            match v {
+                &Tag_oneof_tag::grpc_tag(ref v) => {
+                    let len = v.compute_size();
+                    my_size += 1 + ::protobuf::rt::compute_raw_varint32_size(len) + len;
+                },
+                &Tag_oneof_tag::web_assembly_module_tag(ref v) => {
+                    let len = v.compute_size();
+                    my_size += 1 + ::protobuf::rt::compute_raw_varint32_size(len) + len;
+                },
+            };
+        }
+        my_size += ::protobuf::rt::unknown_fields_size(self.get_unknown_fields());
+        self.cached_size.set(my_size);
+        my_size
+    }
+
+    fn write_to_with_cached_sizes(&self, os: &mut ::protobuf::CodedOutputStream<'_>) -> ::protobuf::ProtobufResult<()> {
+        if let ::std::option::Option::Some(ref v) = self.tag {
+            match v {
+                &Tag_oneof_tag::grpc_tag(ref v) => {
+                    os.write_tag(1, ::protobuf::wire_format::WireTypeLengthDelimited)?;
+                    os.write_raw_varint32(v.get_cached_size())?;
+                    v.write_to_with_cached_sizes(os)?;
+                },
+                &Tag_oneof_tag::web_assembly_module_tag(ref v) => {
+                    os.write_tag(2, ::protobuf::wire_format::WireTypeLengthDelimited)?;
+                    os.write_raw_varint32(v.get_cached_size())?;
+                    v.write_to_with_cached_sizes(os)?;
+                },
+            };
+        }
+        os.write_unknown_fields(self.get_unknown_fields())?;
+        ::std::result::Result::Ok(())
+    }
+
+    fn get_cached_size(&self) -> u32 {
+        self.cached_size.get()
+    }
+
+    fn get_unknown_fields(&self) -> &::protobuf::UnknownFields {
+        &self.unknown_fields
+    }
+
+    fn mut_unknown_fields(&mut self) -> &mut ::protobuf::UnknownFields {
+        &mut self.unknown_fields
+    }
+
+    fn as_any(&self) -> &dyn (::std::any::Any) {
+        self as &dyn (::std::any::Any)
+    }
+    fn as_any_mut(&mut self) -> &mut dyn (::std::any::Any) {
+        self as &mut dyn (::std::any::Any)
+    }
+    fn into_any(self: Box<Self>) -> ::std::boxed::Box<dyn (::std::any::Any)> {
+        self
+    }
+
+    fn descriptor(&self) -> &'static ::protobuf::reflect::MessageDescriptor {
+        Self::descriptor_static()
+    }
+
+    fn new() -> Tag {
+        Tag::new()
+    }
+
+    fn descriptor_static() -> &'static ::protobuf::reflect::MessageDescriptor {
+        static mut descriptor: ::protobuf::lazy::Lazy<::protobuf::reflect::MessageDescriptor> = ::protobuf::lazy::Lazy {
+            lock: ::protobuf::lazy::ONCE_INIT,
+            ptr: 0 as *const ::protobuf::reflect::MessageDescriptor,
+        };
+        unsafe {
+            descriptor.get(|| {
+                let mut fields = ::std::vec::Vec::new();
+                fields.push(::protobuf::reflect::accessor::make_singular_message_accessor::<_, GrpcTag>(
+                    "grpc_tag",
+                    Tag::has_grpc_tag,
+                    Tag::get_grpc_tag,
+                ));
+                fields.push(::protobuf::reflect::accessor::make_singular_message_accessor::<_, WebAssemblyModuleTag>(
+                    "web_assembly_module_tag",
+                    Tag::has_web_assembly_module_tag,
+                    Tag::get_web_assembly_module_tag,
+                ));
+                ::protobuf::reflect::MessageDescriptor::new::<Tag>(
+                    "Tag",
+                    fields,
+                    file_descriptor_proto()
+                )
+            })
+        }
+    }
+
+    fn default_instance() -> &'static Tag {
+        static mut instance: ::protobuf::lazy::Lazy<Tag> = ::protobuf::lazy::Lazy {
+            lock: ::protobuf::lazy::ONCE_INIT,
+            ptr: 0 as *const Tag,
+        };
+        unsafe {
+            instance.get(Tag::new)
+        }
+    }
+}
+
+impl ::protobuf::Clear for Tag {
+    fn clear(&mut self) {
+        self.tag = ::std::option::Option::None;
+        self.tag = ::std::option::Option::None;
+        self.unknown_fields.clear();
+    }
+}
+
+impl ::std::fmt::Debug for Tag {
+    fn fmt(&self, f: &mut ::std::fmt::Formatter<'_>) -> ::std::fmt::Result {
+        ::protobuf::text_format::fmt(self, f)
+    }
+}
+
+impl ::protobuf::reflect::ProtobufValue for Tag {
+    fn as_ref(&self) -> ::protobuf::reflect::ProtobufValueRef {
+        ::protobuf::reflect::ProtobufValueRef::Message(self)
+    }
+}
+
+#[derive(PartialEq,Clone,Default)]
+pub struct GrpcTag {
+    // message fields
+    pub authorization_bearer_token_hmac: ::std::vec::Vec<u8>,
+    // special fields
+    pub unknown_fields: ::protobuf::UnknownFields,
+    pub cached_size: ::protobuf::CachedSize,
+}
+
+impl<'a> ::std::default::Default for &'a GrpcTag {
+    fn default() -> &'a GrpcTag {
+        <GrpcTag as ::protobuf::Message>::default_instance()
+    }
+}
+
+impl GrpcTag {
+    pub fn new() -> GrpcTag {
+        ::std::default::Default::default()
+    }
+
+    // bytes authorization_bearer_token_hmac = 1;
+
+
+    pub fn get_authorization_bearer_token_hmac(&self) -> &[u8] {
+        &self.authorization_bearer_token_hmac
+    }
+    pub fn clear_authorization_bearer_token_hmac(&mut self) {
+        self.authorization_bearer_token_hmac.clear();
+    }
+
+    // Param is passed by value, moved
+    pub fn set_authorization_bearer_token_hmac(&mut self, v: ::std::vec::Vec<u8>) {
+        self.authorization_bearer_token_hmac = v;
+    }
+
+    // Mutable pointer to the field.
+    // If field is not initialized, it is initialized with default value first.
+    pub fn mut_authorization_bearer_token_hmac(&mut self) -> &mut ::std::vec::Vec<u8> {
+        &mut self.authorization_bearer_token_hmac
+    }
+
+    // Take field
+    pub fn take_authorization_bearer_token_hmac(&mut self) -> ::std::vec::Vec<u8> {
+        ::std::mem::replace(&mut self.authorization_bearer_token_hmac, ::std::vec::Vec::new())
+    }
+}
+
+impl ::protobuf::Message for GrpcTag {
+    fn is_initialized(&self) -> bool {
+        true
+    }
+
+    fn merge_from(&mut self, is: &mut ::protobuf::CodedInputStream<'_>) -> ::protobuf::ProtobufResult<()> {
+        while !is.eof()? {
+            let (field_number, wire_type) = is.read_tag_unpack()?;
+            match field_number {
+                1 => {
+                    ::protobuf::rt::read_singular_proto3_bytes_into(wire_type, is, &mut self.authorization_bearer_token_hmac)?;
+                },
+                _ => {
+                    ::protobuf::rt::read_unknown_or_skip_group(field_number, wire_type, is, self.mut_unknown_fields())?;
+                },
+            };
+        }
+        ::std::result::Result::Ok(())
+    }
+
+    // Compute sizes of nested messages
+    #[allow(unused_variables)]
+    fn compute_size(&self) -> u32 {
+        let mut my_size = 0;
+        if !self.authorization_bearer_token_hmac.is_empty() {
+            my_size += ::protobuf::rt::bytes_size(1, &self.authorization_bearer_token_hmac);
+        }
+        my_size += ::protobuf::rt::unknown_fields_size(self.get_unknown_fields());
+        self.cached_size.set(my_size);
+        my_size
+    }
+
+    fn write_to_with_cached_sizes(&self, os: &mut ::protobuf::CodedOutputStream<'_>) -> ::protobuf::ProtobufResult<()> {
+        if !self.authorization_bearer_token_hmac.is_empty() {
+            os.write_bytes(1, &self.authorization_bearer_token_hmac)?;
+        }
+        os.write_unknown_fields(self.get_unknown_fields())?;
+        ::std::result::Result::Ok(())
+    }
+
+    fn get_cached_size(&self) -> u32 {
+        self.cached_size.get()
+    }
+
+    fn get_unknown_fields(&self) -> &::protobuf::UnknownFields {
+        &self.unknown_fields
+    }
+
+    fn mut_unknown_fields(&mut self) -> &mut ::protobuf::UnknownFields {
+        &mut self.unknown_fields
+    }
+
+    fn as_any(&self) -> &dyn (::std::any::Any) {
+        self as &dyn (::std::any::Any)
+    }
+    fn as_any_mut(&mut self) -> &mut dyn (::std::any::Any) {
+        self as &mut dyn (::std::any::Any)
+    }
+    fn into_any(self: Box<Self>) -> ::std::boxed::Box<dyn (::std::any::Any)> {
+        self
+    }
+
+    fn descriptor(&self) -> &'static ::protobuf::reflect::MessageDescriptor {
+        Self::descriptor_static()
+    }
+
+    fn new() -> GrpcTag {
+        GrpcTag::new()
+    }
+
+    fn descriptor_static() -> &'static ::protobuf::reflect::MessageDescriptor {
+        static mut descriptor: ::protobuf::lazy::Lazy<::protobuf::reflect::MessageDescriptor> = ::protobuf::lazy::Lazy {
+            lock: ::protobuf::lazy::ONCE_INIT,
+            ptr: 0 as *const ::protobuf::reflect::MessageDescriptor,
+        };
+        unsafe {
+            descriptor.get(|| {
+                let mut fields = ::std::vec::Vec::new();
+                fields.push(::protobuf::reflect::accessor::make_simple_field_accessor::<_, ::protobuf::types::ProtobufTypeBytes>(
+                    "authorization_bearer_token_hmac",
+                    |m: &GrpcTag| { &m.authorization_bearer_token_hmac },
+                    |m: &mut GrpcTag| { &mut m.authorization_bearer_token_hmac },
+                ));
+                ::protobuf::reflect::MessageDescriptor::new::<GrpcTag>(
+                    "GrpcTag",
+                    fields,
+                    file_descriptor_proto()
+                )
+            })
+        }
+    }
+
+    fn default_instance() -> &'static GrpcTag {
+        static mut instance: ::protobuf::lazy::Lazy<GrpcTag> = ::protobuf::lazy::Lazy {
+            lock: ::protobuf::lazy::ONCE_INIT,
+            ptr: 0 as *const GrpcTag,
+        };
+        unsafe {
+            instance.get(GrpcTag::new)
+        }
+    }
+}
+
+impl ::protobuf::Clear for GrpcTag {
+    fn clear(&mut self) {
+        self.authorization_bearer_token_hmac.clear();
+        self.unknown_fields.clear();
+    }
+}
+
+impl ::std::fmt::Debug for GrpcTag {
+    fn fmt(&self, f: &mut ::std::fmt::Formatter<'_>) -> ::std::fmt::Result {
+        ::protobuf::text_format::fmt(self, f)
+    }
+}
+
+impl ::protobuf::reflect::ProtobufValue for GrpcTag {
+    fn as_ref(&self) -> ::protobuf::reflect::ProtobufValueRef {
+        ::protobuf::reflect::ProtobufValueRef::Message(self)
+    }
+}
+
+#[derive(PartialEq,Clone,Default)]
+pub struct WebAssemblyModuleTag {
+    // message fields
+    pub module_attestation: ::std::vec::Vec<u8>,
+    // special fields
+    pub unknown_fields: ::protobuf::UnknownFields,
+    pub cached_size: ::protobuf::CachedSize,
+}
+
+impl<'a> ::std::default::Default for &'a WebAssemblyModuleTag {
+    fn default() -> &'a WebAssemblyModuleTag {
+        <WebAssemblyModuleTag as ::protobuf::Message>::default_instance()
+    }
+}
+
+impl WebAssemblyModuleTag {
+    pub fn new() -> WebAssemblyModuleTag {
+        ::std::default::Default::default()
+    }
+
+    // bytes module_attestation = 1;
+
+
+    pub fn get_module_attestation(&self) -> &[u8] {
+        &self.module_attestation
+    }
+    pub fn clear_module_attestation(&mut self) {
+        self.module_attestation.clear();
+    }
+
+    // Param is passed by value, moved
+    pub fn set_module_attestation(&mut self, v: ::std::vec::Vec<u8>) {
+        self.module_attestation = v;
+    }
+
+    // Mutable pointer to the field.
+    // If field is not initialized, it is initialized with default value first.
+    pub fn mut_module_attestation(&mut self) -> &mut ::std::vec::Vec<u8> {
+        &mut self.module_attestation
+    }
+
+    // Take field
+    pub fn take_module_attestation(&mut self) -> ::std::vec::Vec<u8> {
+        ::std::mem::replace(&mut self.module_attestation, ::std::vec::Vec::new())
+    }
+}
+
+impl ::protobuf::Message for WebAssemblyModuleTag {
+    fn is_initialized(&self) -> bool {
+        true
+    }
+
+    fn merge_from(&mut self, is: &mut ::protobuf::CodedInputStream<'_>) -> ::protobuf::ProtobufResult<()> {
+        while !is.eof()? {
+            let (field_number, wire_type) = is.read_tag_unpack()?;
+            match field_number {
+                1 => {
+                    ::protobuf::rt::read_singular_proto3_bytes_into(wire_type, is, &mut self.module_attestation)?;
+                },
+                _ => {
+                    ::protobuf::rt::read_unknown_or_skip_group(field_number, wire_type, is, self.mut_unknown_fields())?;
+                },
+            };
+        }
+        ::std::result::Result::Ok(())
+    }
+
+    // Compute sizes of nested messages
+    #[allow(unused_variables)]
+    fn compute_size(&self) -> u32 {
+        let mut my_size = 0;
+        if !self.module_attestation.is_empty() {
+            my_size += ::protobuf::rt::bytes_size(1, &self.module_attestation);
+        }
+        my_size += ::protobuf::rt::unknown_fields_size(self.get_unknown_fields());
+        self.cached_size.set(my_size);
+        my_size
+    }
+
+    fn write_to_with_cached_sizes(&self, os: &mut ::protobuf::CodedOutputStream<'_>) -> ::protobuf::ProtobufResult<()> {
+        if !self.module_attestation.is_empty() {
+            os.write_bytes(1, &self.module_attestation)?;
+        }
+        os.write_unknown_fields(self.get_unknown_fields())?;
+        ::std::result::Result::Ok(())
+    }
+
+    fn get_cached_size(&self) -> u32 {
+        self.cached_size.get()
+    }
+
+    fn get_unknown_fields(&self) -> &::protobuf::UnknownFields {
+        &self.unknown_fields
+    }
+
+    fn mut_unknown_fields(&mut self) -> &mut ::protobuf::UnknownFields {
+        &mut self.unknown_fields
+    }
+
+    fn as_any(&self) -> &dyn (::std::any::Any) {
+        self as &dyn (::std::any::Any)
+    }
+    fn as_any_mut(&mut self) -> &mut dyn (::std::any::Any) {
+        self as &mut dyn (::std::any::Any)
+    }
+    fn into_any(self: Box<Self>) -> ::std::boxed::Box<dyn (::std::any::Any)> {
+        self
+    }
+
+    fn descriptor(&self) -> &'static ::protobuf::reflect::MessageDescriptor {
+        Self::descriptor_static()
+    }
+
+    fn new() -> WebAssemblyModuleTag {
+        WebAssemblyModuleTag::new()
+    }
+
+    fn descriptor_static() -> &'static ::protobuf::reflect::MessageDescriptor {
+        static mut descriptor: ::protobuf::lazy::Lazy<::protobuf::reflect::MessageDescriptor> = ::protobuf::lazy::Lazy {
+            lock: ::protobuf::lazy::ONCE_INIT,
+            ptr: 0 as *const ::protobuf::reflect::MessageDescriptor,
+        };
+        unsafe {
+            descriptor.get(|| {
+                let mut fields = ::std::vec::Vec::new();
+                fields.push(::protobuf::reflect::accessor::make_simple_field_accessor::<_, ::protobuf::types::ProtobufTypeBytes>(
+                    "module_attestation",
+                    |m: &WebAssemblyModuleTag| { &m.module_attestation },
+                    |m: &mut WebAssemblyModuleTag| { &mut m.module_attestation },
+                ));
+                ::protobuf::reflect::MessageDescriptor::new::<WebAssemblyModuleTag>(
+                    "WebAssemblyModuleTag",
+                    fields,
+                    file_descriptor_proto()
+                )
+            })
+        }
+    }
+
+    fn default_instance() -> &'static WebAssemblyModuleTag {
+        static mut instance: ::protobuf::lazy::Lazy<WebAssemblyModuleTag> = ::protobuf::lazy::Lazy {
+            lock: ::protobuf::lazy::ONCE_INIT,
+            ptr: 0 as *const WebAssemblyModuleTag,
+        };
+        unsafe {
+            instance.get(WebAssemblyModuleTag::new)
+        }
+    }
+}
+
+impl ::protobuf::Clear for WebAssemblyModuleTag {
+    fn clear(&mut self) {
+        self.module_attestation.clear();
+        self.unknown_fields.clear();
+    }
+}
+
+impl ::std::fmt::Debug for WebAssemblyModuleTag {
+    fn fmt(&self, f: &mut ::std::fmt::Formatter<'_>) -> ::std::fmt::Result {
+        ::protobuf::text_format::fmt(self, f)
+    }
+}
+
+impl ::protobuf::reflect::ProtobufValue for WebAssemblyModuleTag {
+    fn as_ref(&self) -> ::protobuf::reflect::ProtobufValueRef {
+        ::protobuf::reflect::ProtobufValueRef::Message(self)
+    }
+}
+
+static file_descriptor_proto_data: &'static [u8] = b"\
+    \n\x0cpolicy.proto\x12\noak.policy\"s\n\x05Label\x122\n\x0csecrecy_tags\
+    \x18\x01\x20\x03(\x0b2\x0f.oak.policy.TagR\x0bsecrecyTags\x126\n\x0einte\
+    grity_tags\x18\x02\x20\x03(\x0b2\x0f.oak.policy.TagR\rintegrityTags\"\
+    \x99\x01\n\x03Tag\x120\n\x08grpc_tag\x18\x01\x20\x01(\x0b2\x13.oak.polic\
+    y.GrpcTagH\0R\x07grpcTag\x12Y\n\x17web_assembly_module_tag\x18\x02\x20\
+    \x01(\x0b2\x20.oak.policy.WebAssemblyModuleTagH\0R\x14webAssemblyModuleT\
+    agB\x05\n\x03tag\"P\n\x07GrpcTag\x12E\n\x1fauthorization_bearer_token_hm\
+    ac\x18\x01\x20\x01(\x0cR\x1cauthorizationBearerTokenHmac\"E\n\x14WebAsse\
+    mblyModuleTag\x12-\n\x12module_attestation\x18\x01\x20\x01(\x0cR\x11modu\
+    leAttestationb\x06proto3\
+";
+
+static mut file_descriptor_proto_lazy: ::protobuf::lazy::Lazy<::protobuf::descriptor::FileDescriptorProto> = ::protobuf::lazy::Lazy {
+    lock: ::protobuf::lazy::ONCE_INIT,
+    ptr: 0 as *const ::protobuf::descriptor::FileDescriptorProto,
+};
+
+fn parse_descriptor_proto() -> ::protobuf::descriptor::FileDescriptorProto {
+    ::protobuf::parse_from_bytes(file_descriptor_proto_data).unwrap()
+}
+
+pub fn file_descriptor_proto() -> &'static ::protobuf::descriptor::FileDescriptorProto {
+    unsafe {
+        file_descriptor_proto_lazy.get(|| {
+            parse_descriptor_proto()
+        })
+    }
+}